COICA (Combating Online Infringement and Counterfeits Act) is a legislative bill introduced in the United States Senate during 2010 that has been the topic of considerable debate. After my name was mentioned during some testimony before a Senate committee last year I dug into the details and I am alarmed. I wrote recently about interactions between DNS blocking and Secure DNS and in this article I will expand on the reasons why COICA as proposed last year should not be pursued further in any similar form.

Whenever I contemplate or evaluate a proposed security mechanism I like to consider how the opposition will react to it — what will be their next move? If I think the cost of "their" next move will be a lot less than "our" costs in deploying the proposed solution then I can dismiss the proposal on economic grounds. On the other hand if I think that "they" will actually be way better off after "we" force them to make their obvious next move, then I don't just want to dismiss the proposed solution, I want to sound the alarm. So it is with COICA, which is at best a weak proposal and at worst an incredibly dangerous idea.

Pirate DNS

If the US Government mandates some form of "DNS blocking" as protection for intellectual property against piracy, then the people in the world who want to publish and consume pirated content will have to decide what to do about it. They could decide to stop dealing in pirated content but the money involved makes that unlikely. They could move to a non-DNS rendezvous system like putting IP addresses into a Twitter feed but that would require never-ending manual labour by consumers which I think means publishers will not want to do it that way. What I would do if I were a publisher of pirated content and COICA got in my way would be to create an alternate root DNS system and tell my customers how to switch to it.

Virtually all alternate root DNS systems ever created have either failed or just sputtered along. This is due to misalignment between people who want to create alternative top level domain names and people who want to look up those names. The real (IANA) root DNS system has perfect alignment between name producers and name consumers because all name users use the IANA system. Outside of the IANA system, it's always one group of people who want to create alternate names and some other group of people with different incentives who would have to be convinced to do the work of switching to the alternate DNS system to be able to look up those alternate names. Such convincing has never happened and until I studied COICA I thought it never could happen.

In the COICA situation, there is once again perfect alignment between name producers and name consumers, because there is already perfect alignment between pirated content publishers and pirated content consumers. If COICA becomes law and if THEPIRATEBAY.ORG is then blocked by U.S. Government mandate, then I'd expect The Pirate Bay to create an alternative DNS system along the following lines.

First, they'd decide in advance to mirror the IANA DNS system as closely as possible. Anything that appeared in the IANA DNS system would automatically and instantaneously appear in the Pirate Bay DNS system. If ICANN goes ahead and creates a lot of new TLDs then all of those new TLDs would appear in the Pirate Bay DNS system as well, all pointing at ICANN's chosen registrars. In other words no existing DNS content would be overridden (or dare I say: "pirated".)

Second, they'd pick some new TLD that they wanted to create in the Pirate Bay DNS system that would serve their business needs and would be extremely unlikely to ever conflict with any future IANA TLD. For this I'm thinking .PIRATE or .PIRATEBAY or .ARGHHH but that's a decision best left up to the artistic team. For now let's assume that they chose .PIRATE so that their second level domain names would be content names like TORRENTS.PIRATE or ITS-A-WONDERFUL-LIFE.PIRATE.

Third, they'd hire a lot of server capacity all over the world to host their DNS system. Since their DNS system would have no pirated content on it — thus by itself breaking no laws — they would not have to keep it all on their offshore base. Some of this server capacity would be for their root name servers (sort of a small clone of the IANA root name server system and the VeriSign .COM name server system) and some would be for their open recursive name servers (sort of a small clone of the OpenDNS or Google DNS systems).

Fourth, they'd put together a simple system to grab the IANA root zone every few hours, add their .PIRATE TLD to it, and sign the modified copy of the zone with the Pirate DNS root key. This root key would have to be generated and signed in some kind of ceremony, maybe with people wearing viking hats and carrying swords and torches, and the resulting public validation key would have to be published on the web and managed according to RFC 5011 so that it can roll forward throughout all time. Videos from this ceremony would go up on YouTube.

Fifth, they'd write up some high quality documentation on how to use this alternate DNS system. The documentation would be in many languages since their customer base is worldwide. This documentation would explain how consumers could configure their laptop or desktop or mobile devices to use the Pirate DNS recursive name servers, and also how ISPs and hobbyists could participate by reconfiguring their own recursive name servers to use Pirate DNS as their root DNS system (including the necessary Secure DNS key).

Sixth, they'd launch it. I figure that within two to six weeks they'd convert 90% of their installed base from IANA DNS to Pirate DNS, after which they could just go on as before, pretty much ignoring COICA.

Seventh, optionally, they could create some high quality plugins for Windows and MacOS and Linux to use HTTPS for DNS lookups in case some of their customers wanted to be able to look up .PIRATE names from restricted environments like hotel rooms where DNS is hard to reconfigure successfully. Obviously Pirate Bay would have no problem operating the web servers for HTTPS but it's also arguably another service they could hire outside their base since the Pirate DNS content is not pirated and therefore nowhere illegal.
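Steps one and four describe a property that anyone holding both zone files can check: the mirrored root adds a TLD but alters no existing delegation. As an added example (not part of the original article), the Python below diffs a candidate root zone against a reference copy and reports added, removed and changed TLD delegations, including glue addresses. The zone contents, the `audit_mirror` name and the one-record-per-line input format are assumptions made for illustration.

```python
"""Audit a mirrored root zone: which TLDs were added, removed or altered?"""
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zones. Every name, address and DS value below is made up
# (example-reserved names and documentation address ranges), not real root data.
REFERENCE = """\
.                          518400 IN NS  a.root.example.
com.                       172800 IN NS  ns1.com-registry.example.
com.                       172800 IN NS  ns2.com-registry.example.
com.                       86400  IN DS  11111 8 2 AB12CD34  ; constructed digest
ns1.com-registry.example.  172800 IN A   192.0.2.1
ns2.com-registry.example.  172800 IN A   192.0.2.2
org.                       172800 IN NS  ns1.org-registry.example.
ns1.org-registry.example.  172800 IN A   198.51.100.1
"""

# A mirror as described in steps one and four: its own root servers, one extra
# TLD, and every other delegation copied unchanged.
FAITHFUL = REFERENCE.replace("a.root.example.", "a.altroot.example.") + (
    "pirate.                    172800 IN NS  ns1.altroot.example.\n"
    "ns1.altroot.example.       172800 IN A   203.0.113.53\n"
)

# The same mirror with one glue address for .org quietly repointed.
TAMPERED = FAITHFUL.replace("198.51.100.1", "203.0.113.66")


def parse_zone(zone_text):
    """Parse one-record-per-line master-file text into {owner: {(type, rdata)}}.

    Assumes fully qualified owner names on every line and no multi-line
    records; $ORIGIN/$TTL directives and comments are skipped.
    """
    zone = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".") + "."
        rest = fields[1:]
        i = 0
        # TTL and class are optional and may appear in either order.
        while i < len(rest) and (rest[i].isdigit() or rest[i].upper() in CLASSES):
            i += 1
        if i >= len(rest):
            continue
        rtype = rest[i].upper()
        rdata = " ".join(rest[i + 1:]).lower()
        zone[owner].add((rtype, rdata))
    return zone


def is_tld(owner):
    """True for single-label owners such as 'com.'; the apex '.' is excluded."""
    return owner != "." and owner.count(".") == 1


def delegation(zone, tld):
    """NS and DS records at the TLD plus address glue for its name servers."""
    rrs = {(tld, t, d) for t, d in zone.get(tld, ()) if t in ("NS", "DS")}
    for _, rtype, target in list(rrs):
        if rtype == "NS":
            rrs |= {(target, gt, gd) for gt, gd in zone.get(target, ())
                    if gt in ("A", "AAAA")}
    return frozenset(rrs)


def audit_mirror(reference_text, candidate_text):
    """Compare TLD delegations; apex records are ignored because any
    alternate root necessarily replaces the root NS set and keys."""
    ref, cand = parse_zone(reference_text), parse_zone(candidate_text)
    ref_tlds = {o for o in ref if is_tld(o)}
    cand_tlds = {o for o in cand if is_tld(o)}
    return {
        "added": sorted(cand_tlds - ref_tlds),
        "removed": sorted(ref_tlds - cand_tlds),
        "changed": sorted(t for t in ref_tlds & cand_tlds
                          if delegation(ref, t) != delegation(cand, t)),
    }


if __name__ == "__main__":
    print("faithful:", audit_mirror(REFERENCE, FAITHFUL))
    print("tampered:", audit_mirror(REFERENCE, TAMPERED))
```

A non-empty "changed" or "removed" list means the copy overrides existing content rather than only extending it, which is the distinction step one turns on.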

What's Our Next Move?

The whole scheme I've described above is practicable by any qualified sysadmin team; it doesn't take DNS experts. The total cost in capital is between USD 20K and USD 1M depending on how fancy they want to get. The total time it would take to deploy it (see steps one through six above) is about two months. That's "their" cost, and it would move them forever outside of "our" control. This is so easy that I suspect that they would already have done it except that right now — in a world without COICA — their customers aren't aligned yet; there's no motivation to switch over. Given COICA I think there would be perfect and immediate alignment.

At this point in the story the producers and consumers of pirated content would not be using the IANA DNS system, so while the rest of the world would be stuck with the costs and complexities of COICA, the biggest publisher of pirated content on the Internet would be unaffected. So far we've driven our own ongoing costs up far more than we've driven the pirates' costs up, and we're back where we started except with fewer options. But as bad as it sounds, that's not the worst of it.

The next worry is copycats. Once there's an existence proof of this I'll expect the publishers and consumers of other illegal or protected materials to create similar systems since there is again perfect alignment between name producers and name consumers. Some alternate DNS systems might even respect the alternate TLD allocations that occur in other alternate DNS systems as a convenience to their own customers. Countries who want to block certain new IANA TLDs (and here I'm thinking of .XXX) could do this in-country and force alignment by mandating the use of that country's DNS system by all in-country ISPs and enterprises and end users. But even as much chaos as this would create, it's still not the worst outcome from COICA.

My greatest worry is what people will do to bypass all this junk or to prevent other people from bypassing it. My fellow humans are a proud and occasionally adversarial bunch and they don't like being told what they can't do or what they have to do. The things we'll all be doing to bypass the local DNS restrictions imposed by our coffee shops or our governments or our ISPs will break everything. Where this ends is with questions like "which DNS system are you using?" and "which DNS systems is your TLD in?" which in other words means that where this ends is a world without universal naming. We adopted DNS to get universal naming, and today we have universal naming except inside Network Address Translation (NAT) borders. Universal naming is one of the reasons for the Internet's success and dominance. If we're going to start doing stuff like COICA then we should have stuck with a "hosts file" on every Internet connected computer and let every connected device decide for itself what names it recognized.

Advice to the U.S. Government Concerning COICA

I'd like to say simply don't do COICA but I guess that's already been said and the discussion has continued so I'll continue also.

The Internet is not a thing but rather an emergent property of the cooperation of all the people who connect their devices to it. That cooperation is a grant not a mandate, and that cooperation can be withdrawn or altered at only modest cost. The Internet is what in politics is called a "coalition of the willing" and no one has ever successfully imposed unilateral terms here. If the Internet were a regulated empire that could accept something like COICA then quite frankly the proof of this would be that the U.S. Government could have stopped spam and malware and Child Abuse Materials and phishing all with the stroke of a pen or the suspension of payments or the imposition of taxes or the dispatching of armed forces. However, those tools have no direct effect on the Internet.

The Internet's social contract is a thin and fragile thing, and it's the responsibility of every country and every government and every operator and every user to try to hold it together. It is within the power of the U.S. Government to try to impose its will on the Internet, but the results would be neither as you expect nor as any of us desire. Relevant and sustainable contributions to the Internet take the form of creation not prevention, and are multilateral and cooperative not unilateral or imposed. I hope that the U.S. Congress will keep searching for ways to protect intellectual property until one is found that does not threaten to act as a "sheer force" against the Internet's fundamentally cooperative infrastructure.

I hope that next time my name comes up in congressional testimony about COICA it will be in the context of these remarks.

By Paul Vixie, CEO, Farsight Security.

Comments

>That's "their" cost, and it would move them
>forever outside of "our" control.

Many sovereign governments have “escaped control” using I-DNS, they did this because of the arrogance imposed upon by refusal to support their decade of request for IDN TLD support.

China was the most recent country to “split the root” in addition to many others.

These root splits have failed to create the suggested chaos.

I think I-DNS is still selling Chinese IDN versions of .COM and .NET for $75, been doing that since 2006. And as I recall I-DNS’s root splits go back to ~2000.

The current desire to split the root comes from lack of accountability as stakeholders become more and more fed up. I certainly prefer standards and a unified system for the many benefits we’d all gain. What we have is command and control which is now asking for more command and control thus continuing to ignore why the root is continuing to split.

It has been my observation in life that people are good and want to work together.

Fortunately the masses are awakening ..... Is root splitting only allowed at the level of governments?

>Many sovereign governments have “escaped control” using I-DNS, they did this because of the arrogance imposed upon by refusal to support their decade of request for IDN TLD support.

I-DNS has not succeeded, as witnessed by the continued pressure on ICANN over the years to support IDN TLDs, and by the wave of excitement and growth that has occurred recently as ICANN has actually been rolling out IDN TLD support. I-DNS is a perfect example of what I mean by "insufficient alignment" in that the name producers and name consumers mostly never found each other. The potential interest on potential name producers and potential name consumers was never actualized until ICANN started putting IDN TLDs into the IANA DNS system. I-DNS is also a perfect example of what I meant by "sputtering along". My concern about COICA is that it is capable of creating immediate and perfect alignment between a set of name producers and a set of name consumers, thus enabling the first successful alternate DNS system.

I take your point that the Internet only works because so many people want it to work; the collaboration is much more important than any of the technologies, which tend to be pretty weak in any case. I make that point all the time in my public addresses.

Want to kill COICA for good? That's easy: Just help organize an effective, voluntary system to address the problem of criminal behavior on the Internet, and COICA doesn't need to happen.

If the community itself had been taking Internet crime seriously instead of sweeping it under the rug as a cost of "Internet Freedom," COICA never would have been written. In any case, a more general approach to marginalizing Internet criminals is preferable to an industry-by-industry approach.

The trouble is that a collaborative response to Internet crime can't pick and choose between good laws and bad ones.

>That's easy: Just help organize an effective, voluntary system to address the problem of criminal behavior on the Internet…

This must be some strange new usage of the word "easy" that I wasn't previously aware of.

Which nation's laws do you enforce? The subset of law that is common to all nations which participate in the Internet? The union of all law? Some arbitrary nation's law (in which case you will never obtain a unified effort)?

Which part of the law do you enforce? Just the criminal law, or also civil matters such as libel and copyright infringement? If civil matters are included, how is the violation brought to the attention of the enforcement body? Does the body require that the injured party press charges, or do they actively police civil matters in the same manner as criminal ones?

How do you enforce the law? Does some representative of this crime-fighting body conduct an investigation and determine that a party should be disconnected from the Internet? What are the standards of evidence? Does the accused have a right to present a case? How is the punishment made to stick, given the ease of near-anonymous Internet usage?

The kind of enforcement action that has seen some modest success is that of policing network abuse, as opposed to policing use of the network for nefarious purposes. These two things overlap quite often: the nefarious party has little respect for social norms that conflict with his own wants, whether they be codified in law or not, so often the network abuse is just a means to the end of some broader nefarious purpose. Even so, we must draw a distinction between network abuse and more general criminal activity because of a matter of "alignment", as Paul puts it.

Those of us who use the network tend to have a lot in common. We want to be able to reach the sites we use; we don't want our inbox to be full of spam; we don't want our passwords, credit card numbers, or other personal details to be compromised; we don't want bad guys to have undue access to resources which belong to us in general. These factors align us against the malicious minority who interfere with these peaceful goals. We rarely agree on how to address the issue, but at least we are aligned as to the nature of the problem, so compromises can be reached as to what is and is not an acceptable countermeasure.

In the case of law more generally, we have little such alignment. Even where nigh-universal alignment exists against the crime itself — paedophilia, for example — we lack alignment on the matter of responsibility. Few users think that their Internet Service Provider should intrusively monitor all traffic in an attempt to locate paedophiles — particularly if they are informed on matters of encryption and botnets. With COICA, we don't even have alignment on the problem itself, let alone the enforcement mechanism.

There can be no successful collaborative response to Internet crime without general alignment on the underlying issues. As Paul points out, there will be no successful governmental response to Internet "crime" (given attempts to criminalise things that a sufficiently large portion of network users want to do): it will just fragment and Balkanise the network, reducing its overall utility without preventing the "crime".

>Want to kill COICA for good? That's easy: Just help organize an effective, voluntary system to address the problem of criminal behavior on the Internet, and COICA doesn't need to happen.

COICA already doesn't need to happen. If every time any nation wants the Internet to not contain some content which affects only that nation's economy then the Internet has to adapt, then the Internet's method of adaptation will just be circumvention. We can criminalize some universal things like Child Abuse Materials and I do think that ICANN should fix the whois accountability problem and also create a rapid takedown mechanism so that if InterPol reports 400 or so active domain names currently serving up Child Abuse Materials then the Internet community can respond as a cohesive unit by stomping the domains. We should also make it much harder in the future for such crimes to go unprosecutable due to lack of accountability.

If USGov wants to universalize economic crimes then it can work on this via treaties with other nations, but for IPR protection this goal has proved elusive. COICA as a form of unilateralism and as an end run around the Internet's cooperative and consultative governance model can only backfire in that the result would be a world that nobody wants.

I understand that some people believe "information wants to be free" and want nothing to do with any measure that seeks to reduce Internet piracy. So leave that aside.

Internet crime is still a significant problem: Extortionate DDoS attacks, phishing, identity theft generally, terrorism, and child porn demand an adult response from the Internet community, and too many people are willing to hide their heads in the sand and pretend otherwise.

Who's going to step up to this challenge?

Microsoft just took down the Rustock botnet after years of work, tremendous expense, and the cooperation of the US Marshals. Can efforts of that sort be generalized and broadly supported, or will we see "Internet Freedom" advocates stomping Microsoft for breaching the Rustock operator's "free speech rights?"

>I understand that some people believe "information wants to be free" and want nothing to do with any measure that seeks to reduce Internet piracy. So leave that aside.

I want to make sure that the record shows just how far aside I have left that idea — I completely disagree with this point of view and I can't imagine how you could attribute it to me via anything I've said here or elsewhere. Information that is somebody's property should be subject to the control of that owner, and the rights of that owner supersede the rights of the consumer. Information should only be free if the creator of that information wants it to be free.

>Internet crime ... Who's going to step up to this challenge?

Who, as in privately? A: a lot of companies and individuals will continue stepping up to this challenge — by supporting and protecting the private right of action by victims. Who, as in publicly? A: I am hoping that ICANN will step up by completely changing the way whois is populated and operated in order to assure accountability by all holders of Internet resources, and by creating a rapid takedown mechanism for domains used in the commission of universal crimes (such as the distribution of Child Abuse Materials).

I understand private filtering as a response to the lack of accountability in the ICANN whois system that then causes all kinds of dangerous and damaging domains to exist and to be unprosecutable and unactionable. I do not understand mandated filtering as a response to the same, since the powers who can mandate such filtering could instead mandate the necessary accountability, thus preventing the problem upstream instead of dealing with the resulting flood waters.

But I would accept the downstream approach, inefficient though it would be, if I thought it could be effective which it can't or if I thought that the next steps taken to circumvent it wouldn't leave the good guys in a worse position than when we started which it must.

Pardon me if I seemed to suggest you're an "information wants to be free" guy, Paul; of course, I know you're not. The EFF is full of them, however, and many of the people who signed their anti-anti-piracy letter feel that way.

I agree that the problem of Internet crime is enabled by the overly-broad assumption of anonymity that domain owners enjoy. While I understand the value of anonymity for whistle blowers and the like, I don't see how that applies to businesses operating for-profit on the Internet.

And yes, collaborative approaches to Internet self-management have always been the most effective and perhaps the only way to really get things done; government mandates are routinely ignored, always have been, and in some cases, should be ignored.

I think the best way to get a handle on Internet crime is through the voluntary use of domain blacklists by ISPs and other DNS providers; it's abundantly clear that the system is practically boiling over with malicious sites, so the assumption that we're all good guys simply doesn't hold up.

Indeed, you've described my motives for creating both the original RBL back at MAPS for SMTP reputation, and now the DNS RPZ here at ISC for DNS reputation. Private right of action is how the Internet always works.

Governments don't generally appreciate the fact that the Internet is a multi-stakeholder system that runs on consensus, and neither do the industries whose history predates the Internet. The solutions to many of the problems that policy makers have with the activities the Internet enables today are likely to come from multi-stakeholder collaboration in which government is a member of the system rather than its overlord. Chris Marsden calls this the "co-regulatory system."

How does one define "success" as the centralization of a system designed to be decentralized?

Regarding TLDs I saw far more innovation before the US created ICANN, and ICANN tried to get sovereign countries to sign over their ccTLDs through "redelegation" contracts. Fortunately most did not sign and thus are also not under "our" control ....

How can success exist when countries are still denied native language TLDs?

To put a finer point on a statement above, it appears to me the US GOV wants to harmonize other countries' local laws (aka override them) through the contract system using ICANN as the proxy to the registration contract / TOS that is required for each gTLD registration event by ICANN. Since ICANN runs the TLDs under contract to the US GOV, this gives the US Gov a direct path to the registration contract of each and every gTLD registration (most of the world's registrations).

For simplicity, registrars are not going to use separate contracts for each TLD, whatever is required for .COM (for example) will wind up being required of all offered TLDs.

>How does one define "success" as the centralization of a system designed to be decentralized?

You can decentralize your connectivity either as an information producer or an information consumer. You cannot decentralize allocation functions where uniqueness is required. I define success to mean that naming and addressing are universal which means they have to be coordinated (as ICANN does) and therefore somewhat centralized.

As a root name server operator I completely understand the value of decentralization which is why F-root is anycasted from 40-odd locations around the world. But the root zone we serve will always be the unmodified IANA DNS root zone, because even though root DNS service has to be decentralized the root DNS content has to be universal.

>How can success exist when countries are still denied native language TLDs?

To the best of my knowledge, IDN TLDs are being rolled out even as we speak. I know it took years longer than it should have, but since it is finally happening I think we should not be discussing this as a counterexample for centralization.

Uniqueness only occurs at the TLD level, not across TLDs, this is why I-DNS has succeeded and why China used them and resolved their system using a server that is part of the canonical root chain.

There is NO requirement or need to centralize TLDs. If there were then we could not lose "our" control to others setting up alternative DNS systems. You can't have it both ways.

>I-DNS has not succeeded,

I recall well when people recognized what China had done by their root split, I remember well how motivated ICANN suddenly became to finally address this issue. I'd say that is reason enough to say I-DNS has been a great success, having China select them sure did not hurt.

As with ccTLD's comparing IDN reg rates to .COM totally misses the point. IDN TLDs will generally be specific to their region, just as ccTLDs will be. An IDN TLD with a single registration is just as valid as all the .COM registrations, they each address different needs.

If I-DNS is not considered a success, then the idea of some group setting up their own TLD, as suggested in the article, must be far less of a threat to the point of not being worth considering.

I suggest the real lesson of I-DNS is the threat true competition represents and the return of internet innovation that could result by implementing alternative DNS system.

My vocal concerns about RPZ being used as a system of censorship, and your recent admission to this potential, is PRECISELY what I was getting at regarding the internet having a decentralized design. Any time we hand our decisions over to others we've set ourselves up for a bad future. The more alternative DNS systems the better, this is the only way internet freedom and free speech is going to be preserved.

I hope everybody ponders well what centralization recently got us:

http://www.boingboing.net/2011/02/17/dhs-erroneously-seiz.html

So in the interest of "keeping us safe" 10's of thousands of sites were labeled child porn sites. I wonder how many small businesses were involved and may have even lost most of their customers over this. In this case the error was so staggering that it was exposed and thus the world was notified. And what happens when it's not exposed and it's your website that gets taken down with no recourse? It was just "an error" and you have no recourse because you allowed a contract to replace the legal system and the checks and balances you'd have access to under it?

Of course when you are the central authority there will always be motivation to invalidate alternatives, this is monopoly 101 stuff.

>Extortionate DDoS attacks, phishing, identity theft generally, terrorism,
>and child porn demand an adult response from the Internet community,
>and too many people are willing to hide their heads in the sand and
>pretend otherwise.

There is always something to fear, isn't there?

Some new reason to give up more of our freedoms ..... For our own good .....

>Legal doctrine is fine and dandy as long as the
>cops are legal scholars and everyone has deep
>pockets for a courtroom defense.

If that is the problem, and we allow it to continue or get worse, then we deserve what we get. That's what I'm seeing now regarding to "solutions" for issues of the internet.

Just like the 83,999 websites I mentioned earlier.

>In the real world, however, people often have to prove
>that their exercise of self-defense as they see it
>doesn't conflict with someone else's perception of
>contradictory rights.

Just like the 83,999 websites I mentioned earlier.

Having that behavior instantiated in a registration contract is not a solution we should be embracing.

No system is perfect, and things are always changing. We can only ever try to incrementally tweak in a desired direction. We can also generally choose to asymptotically approach "perfection" from the "side" that allows some bad guys to go free, or some good guys to be forever labeled as bad guys.

Guess which "side" I prefer. I'd rather see some bad guys go free once in a while than mess with someone who did nothing wrong. Especially labeling them as "child porn" distributors (mooo.com).

And then we have the issue of one country deciding another country's "acceptable" and "unacceptable" behavior via domain name morality. That's always a bit easier when you are the one given control over someone else, not so easy when you are on the receiving end ... Power corrupts, and so on.

Let's go back to root causes and stop trying to use the domain name as the proxy for the bad guy and thus we have "bad domains". Let's take advantage of the domain to find the bad guy and hold them responsible, and not hold the domain responsible. Can't find them? EPP has a delete command ....

Since we're now at the stage where different people are using words differently and then arguing about those differences, I'll make sure the record is clear.

>… I-DNS has been a great success, having China select them sure did not hurt.

If your metric for alternate DNS success is that you successfully pressured ICANN into rolling out IDNs then I'm fine with the above characterization if that's what happened in this case (I have not been following the IDN TLD story carefully enough to know one way or the other). My metric for alternate DNS success is relevance for the total population of name consumers and sustainability for the name providers. I have no worries about flashes in the pan designed to produce a long term effect elsewhere, but it's a different goal than I was describing. Pirate DNS would be successful in a COICA world because it would be completely relevant to all Pirate name consumers and completely sustainable for the Pirate name producers.

That's a two pronged non sequitur, since it is not an example of "centralization" unless by decentralized you mean you'd like there to be no TLD registries capable of having court orders served on them, and it is not even close to the level of intrusive government mandate contemplated by COICA since under COICA the operators of recursive name servers would have a continuous rather than discrete burden. The Internet depends on universal naming and addressing, and on the uniqueness of identifiers used by the infrastructure. If you wanted to build a new Internet that lacks universal naming and addressing and does not require uniqueness of infrastructure identifiers you'd be starting pretty much from scratch. To my mind that means that we have several necessary forms of "centralization" today and that part is working just fine and will continue to be just fine unless some government imposes unilateral policy (like COICA) on the global naming system.

You and I both know all too well that "universal naming" is defined by the client's two DNS server IP settings, nothing more or less.

Adding, splitting, remapping are as easy and in fact your article discussed what is needed to do it.

>Pirate DNS would be successful in a COICA world because
>it would be completely relevant to all Pirate name consumers
>and completely sustainable for the Pirate name producers.

And here we completely agree, I simply extend the discussion space by recognizing the continuum over which there is motive for alternative DNS options. That means for every "evil" example one can give there will be good and useful examples as well. In fact there is no reason to look at the current embodiment as exemplifying the idea best case.

I feel the root causes are being ignored and I'm seeing DNS changes, tech, policy, legal, moving in a dangerous direction. Unaccountable censorship.

There was a time, and I remember it well, when people actually feared placing invalid info in their whois, now it's a joke. In fact ICANN escrow does not even require the actual whois, privacy whois may be used.

Then we have "promotional registrations" and every time I see free or dirt cheap registrations I cringe as I know the next pool of registrations is going to be spun through for spam, malware, etc, in effect lowering the cost of these operations.

And now we are talking about "lists" .. Bad guys "lists", like 4 year olds on no fly lists, or a great keyword with organic traffic that will forever be on "the list" for whatever reasons that nobody is required to publicly articulate and be held accountable for.

Focusing on domain names, you place privacy whois on a domain the domain gets DELETED. That's a policy change I can live with. And I think the results will be more significant than people think. Laws were passed long ago requiring whois accuracy, and now for some reason we all act like that never happened. I'm aware that there are some very valid reasons for privacy but the ones I'm aware of can be satisfied using a POB. At this point in time I feel that's a more preferred burden than selecting some "decider" of good and evil on the internet and empowering them to shut down domains.

Someone does something illegal, by definition they already broke the law, no additional internet policies or "features" are needed. We just need to find their butt and hold them accountable. And if we can't, by definition that means their whois was bad. POOF! Their domain just got deleted! And my read is that is exactly what we have right now, but nobody is enforcing it, we act like this option does not even exist, as law and policy.

You and I both know all too well that "universal naming" is defined by the client's two DNS server IP settings, nothing more or less.

Of course. On the Internet, cooperation takes the form of following a certain convention. Proof of the value of convention can be seen in the fact that the U. S. Congress is not simply proposing a new name space in which IPR is protected at the domain level — they are proposing to alter the content of the name space we already have. That's because the convention we are all following at the moment, which gives rise to universal naming, makes that name space incredibly relevant.

In fact there is no reason to look at the current embodiment as exemplifying the idea best case.

To me, the existence proof is a compelling argument. We all like the Internet and every dollar and every bit of the Internet's success is due to universal unique identifiers for its infrastructure. Any proposal as to how some other kind of Internet that lacks this type of "centralization" in its identifier system would start out as a theory then needing to be comprehensively tested by someone trying to bring it to market. For now there is no cause for any belief whatsoever that an Internet lacking "centralized" (universal and unique) identifiers could thrive as well as the current Internet has thrived.

I'm aware that there are some very valid reasons for privacy but the ones I'm aware of can be satisfied using a POB. At this point in time I feel that's a more preferred burden than selecting some "decider" of good and evil on the internet and empowering them to shut down domains.

Not to pound the table or anything, but we already selected our "decider" on good and evil by creating a field of nations with governments and police forces and laws. So while I agree that complete and accurate whois is the more important to the safety of the Internet and the health of the economy, I also know that if InterPol or some similar agency assures ICANN that a given domain name is live right now and serving right now some Child Abuse Materials, then we need a rapid takedown not just accurate whois or some kind of blocking. I'm willing to debate the universality of economic crimes, whereas I'm not willing to debate the harm done to children by the distribution of Child Abuse Materials. ICANN should not debate that point either. That's why I'm calling for accurate whois and rapid takedowns on crimes that are considered universal. (Where, again, for the record, economic crimes such as piracy are not considered to be universal and won't be without a lot more treaty work.)

>Any proposal as to how some other kind of Internet that lacks
>this type of "centralization" in its identifier system would start
>out as a theory then needing to be comprehensively tested by
>someone trying to bring it to market.

Not what I was suggesting.

The above pirate space example can provide glue records back to the current root chain, user DNS selection is the only thing defining the difference. I'm saying the space that is currently defined does not mean it's the best we can do. As to how names are resolved, that's a separate issue and need not change.

In other words I'm looking at it from the user perspective that just wants the site to come up in their browser, they don't care how the name resolves as they don't see that as part of their experience.

Alternative DNS does that using the current tech.

As a thought experiment:

If my greatest concerns come true, and people get fed up, alternative DNS systems come online and people leave the ICANN root in the dust. Thus the people speak and say the previous embodiment was not ideal after all.

Again focusing on end user experience. The end user I hardly ever see mentioned or considered in these discussions.

> if InterPol or some similar agency assures ICANN

"First they came"

First they came for the communists,
and I didn't speak out because I wasn't a communist.

Then they came for the trade unionists,
and I didn't speak out because I wasn't a trade unionist.

Then they came for the Jews,
and I didn't speak out because I wasn't a Jew.

Then they came for me
and there was no one left to speak out for me.
- Pastor Martin Niemoller (1892–1984)

"Trust" no one, always verify. Especially when we are talking world/borderless scope. This may well be the end of the road.

Yes the ALT DNS option is still there .... But then we have BIND sitting there now with built in censorship support and for years now I've seen ISPs capturing ALL DNS QUERIES and forcing them back into their resolvers. BIND, through centralized government list distribution, could overcome the 48 hour TTL of a domain zoned at the root via an InterPol published ban list that ISPs implement in the name of "Patriotism". That could be a great 60 second "fast takedown" mechanism in the hands of a privileged few and no accountability.

No. Where the context is Child Abuse Materials I won't be verifying reports of same. The world's police forces have special training and auditing for this; I do not. I used InterPol as my example because we just heard them speak at the ICANN meeting on this very topic. Not everything that's ever been done in meat space has to be reinvented and done differently in cyberspace. Existing police methods for determining that apparent Child Abuse Material really is what it seems to be and is not synthetic or otherwise non-actionable are working fine — so in this case I see no reason why we Internet people would try to duplicate that capability or try to improve on it.

Of course in the more general case where the alleged crime is not universal (for example an economic crime such as theft of intellectual property) or where verification does not require special training then I'd expect the rapid takedown mechanism to include some verification. That was not my example and so "trust but verify" is not part of my example either.

BIND ... That could be a great 60 second "fast takedown" mechanism in the hands of a privileged few and no accountability.

No one has proposed that. I'm looking to ICANN for a way to get the registrar or registry to quickly take down the domain itself. I do not advocate mandatory blocking, all of the new BIND9 features for policy filtering (as of 9.8.0) are intended for private filtering by private right of action.

>No. Where the context is Child Abuse Materials
>I won't be verifying reports of same.

I'm going to maintain my stance. ALL requests get reviewed, period.

I'm also going to point out that in the case of MOOO.COM a 3rd party review by someone with a clue how infrastructure works, might have avoided 83,999 people from falsely being labeled, by the US Government, as distributors of child porn and the effect that had on their reputation.

They know child porn, great! We know wild carding and shared dynamic DNS ..... And all the other stuff the RFCs explicitly state as forbidden ...

It would seem those authorities took the same position of "Not everything that's ever been done in [cyberspace] has to be reinvented and done differently in [meat space]." Thus they had no clue what they were doing in cyberspace.

"Trust" no one.

Checks and balances, due process, call it what you will. When it comes to shutting down a domain name we must NEVER give one single organization total unquestioned authority to do so.

I'm not willing to debate the harm done to children by the distribution of Child Abuse Materials. ICANN should not debate that point either.

Neither will I.

That's why I'm calling for accurate whois and rapid takedowns on crimes that are considered universal.

...but I am willing to debate your proposed remedy. By promoting domain name take-downs for any reason, you are tempting the creation of "pirate" DNS. Unilateral take-downs by law enforcement bodies violate the principle of due process. The US Government has only recently given us a graphic reminder of why this is a bad thing. If people think that their due process rights are likely to be violated, they will flock to "pirate" DNS in droves.

Some would argue that the suspension of a domain name serves only to prevent further commission of a crime in progress, but the suspension of a domain name is the equivalent of an Internet death penalty when one has relied on the DNS to do what it does (and thus advertised the availability of one's services at a particular domain name). Once that name is gone, your service is no longer reachable. That's what makes it attractive as a law enforcement mechanism: it's the simplest plug to pull. But if you pull the plug on an innocent party, the harm is large and instantaneous, potentially ruining someone's livelihood. That is why due process is necessary.

The role of police should not be to take down anything. Taking down a Child Abuse Materials site doesn't even serve to bring the perpetrators to justice, which should be the aim. Take-downs are modestly effective at censorship and disruption of trade, but these are not the approach we should take to Child Abuse. Even mandatory accurate Whois does little to serve this situation: ideally we want to trace all the producers and consumers of the material, and prosecute the lot. One accurate identity in a Whois database makes prosecution look easy, but what of the many others who are necessarily involved in the scheme?

If our aims with law enforcement are to locate and prosecute the people involved, then we are best served by maintaining the existing system in a manner that is not egregiously biased towards the needs of law enforcement. From the perspective of a DNS registrant, the ideal system is one in which they can register a name (for a reasonable fee) without disclosing their own personal details, and with the assurance that the DNS will maintain that identity for the duration of the term. The less like this we make the DNS, the greater the incentive to deploy a "pirate" DNS that is like that. "Pirate" DNS will be designed to make it difficult to trace registrants and to disrupt service, and if it becomes popular, law enforcement will lose the advantages offered by the existing system. On top of that, we may lose universal naming in the process.

If our aims with law enforcement are to locate and prosecute the people involved ...

Let's find out what our aims with law enforcement ought to be. They've come in and asked for accurate Whois and rapid domain takedowns and they've explained their reasons for wanting each. Now let's see ICANN's bottom up community engagement process argue these requests.

One of my concerns about Whois privacy is that to the extent that ICANN relies for relevance on the consent of the governed, there is no public benefit in Whois privacy, only private benefit.

In any case I welcome real debate about accountability — accurate Whois and rapid takedowns in cases where a universal crime is ongoing — as something ICANN might do to better fulfill its public benefit charter and to provide what may be a better answer than COICA for intellectual property protection.

The need to make one's contact information public has a chilling effect on those who want to set up a personal domain which promotes views that offend people in their locality who might be willing to ostracise, lynch or execute them for expressing those views. Arguably this is a private benefit, but I think the Internet is made a better place on the whole (thus, public benefit) when the ability to create such resources is not limited to corporate bodies who can legitimately hide behind a corporate identity.

That is where technical people should come together, why is it ok in this case to have a third party solve the problem?

On this point we agree, as I stated in the Taking Back the DNS article. US law requires the Whois to be accurate and yet at the same time Privacy whois is now allowed. And so privacy whois is allowed but the same permissive central authority will solve the problem? That makes no sense.

Registrars are in a position to require accurate whois. In fact Registrars generally have full accurate whois information used to pay for the registration, yet we're discussing censorship tools rather than simple solutions of registration accountability in the first place.

The need to make one's contact information public has a chilling effect on those who want to set up a personal domain which promotes views that offend people in their locality who might be willing to ostracise, lynch or execute them for expressing those views.

That's an argument for being able to social network anonymously but it hardly justifies having a domain name anonymously. A domain is in Internet terms an identity, and allowing such identities without any domain holder accountability is a unique-to-the-Internet form of identity-laundering. Of the 1.6 domains created every second through the GoDaddy system (as reported on stage during the ICANN meeting this week) I expect that at most "one a month" and perhaps as few as "none ever" are being used by activists and others who have reasonable fears of meatspace retribution.

Arguably this is a private benefit, but I think the Internet is made a better place on the whole (thus, public benefit) when the ability to create such resources is not limited to corporate bodies who can legitimately hide behind a corporate identity.

A corporate identity can be pierced as necessary through the courts but is usually a matter of public record. Not so a domain with bad Whois which becomes a credible and usable anchor and rendezvous point and brand for illegal commerce or fraud or spam since the real domain holder need never be recorded anywhere. This kind of wild west atmosphere is what's helping to convince the U. S. Congress that something like COICA is actually needed. Must we continue on the current path of devaluing domain names into random meaningless untrackable character strings? If so then both private and mandated filtering — and the consequences of both — are probably inevitable.

Just because the internet is unique does not mean it's somehow wrong or defective. Here we find a benefit. The domain is not just an identity it's a meeting point and a link with significant search engine reference implication. It has value associated with its development or "traffic" one builds to get people to it. There is also a huge difference between social networking and domain name based publishing, back to the value search engines give to that publishing point or "address" which is not preserved in social networking.

There are also the free subdomain websites which give the publishers all these benefits but at the cost of possible censorship. There is also the option of lying on the whois for one's domain at the cost of losing the domain for false whois.

This really does suck as I too would like to preserve such speech. Thinking out loud here:

However that's the problem. The people seeking the child porn see nothing wrong with it, we do. The folks seeking the head of the above mentioned publisher see something wrong with the content and we don't. The law is what distinguishes the two but otherwise they can't be separated. Thus circling back to accountability. The content is the content, one moment, or in some location, it might be legal/acceptable or it might not. So long as the price for invalid whois is loss of the domain, and not criminal charges for the "error" then there is a place for free speech to hide its identity in (a possible slippery slope there, I admit). In other cases it's not the whois that started the problem, it's some law that was broken which then motivated inspection of the domain details. So one would hope the magnitude of the crime has far greater significance than the implications of bad/false whois.

Even then I think this mostly just applies to those that can't afford a PO Box, which is admittedly an order of magnitude cost increase over the domain registration. The most poor can probably be argued as not having effective access to the internet to begin with. So we're going to have those two brackets without the desired level of access they want. Others having the internet and the means for a POB.

I'm also concerned with someone moving, and forgetting to update their whois, and then getting it deleted. At least the current delete cycle allows redemption, it's costly but it's likely motivation to keep a closer eye on one's whois after properly updating it. So there is a procedural issue here related to allowing the registrant to redeem a domain, a right that would be lost if deleted due to legal action ... But in which country, the registrant's or the one of the person complaining ... So we're right back to 3rd party review and holding the complaint accountable. As has been seen from UDRP, if you complain too much for no valid reason you should get the penalty and your further complaints IGNORED.

That's an argument for being able to social network anonymously but it hardly justifies having a domain name anonymously. A domain is in Internet terms an identity, and allowing such identities without any domain holder accountability is a unique-to-the-Internet form of identity-laundering.

An IP address is an identity, as is a Facebook login, a Yahoo! email address, and so on. What you can do with these identities varies thanks to the nature of the services to which they are attached, but for some reason we single out the domain name as requiring a public record of the party associated with the address. Sure, we have Whois for IP address blocks as well, but that only identifies an ISP, not an individual. The DNS equivalent would be to have Whois that stops at the registrar level (which is approximately what "privacy protected" Whois does).

When LE wants to know who's behind an IP address or Yahoo! email address, they liaise with the appropriate service provider. Why should DNS be different? The simple fact is, I think, that LE is accustomed to DNS-Whois being convenient, and they would like to demand that it be as convenient as possible. Sadly, personal freedom and convenient law enforcement are often at odds with each other.

Of the 1.6 domains created every second through the GoDaddy system (as reported on stage during the ICANN meeting this week) I expect that at most "one a month" and perhaps as few as "none ever" are being used by activists and others who have reasonable fears of meatspace retribution.

Quite possibly. Perhaps you would also agree that the vast majority of them are being created by miscreants using false information, probably including a stolen credit card. These miscreants have no expectation of ongoing service: that's why they bulk register so many names — it's their natural churn rate. Given any window between availability of the name and verification of personal data, they do not need to provide factual Whois data. So I would counter that the number of criminals inconvenienced by the demand for true Whois data is at most "one a month" and perhaps as few as "none ever". So while mandatory public Whois wouldn't harm many people who have legitimate reasons for not going public with their identities, it also wouldn't catch many crooks. It's therefore not worth sacrificing the legitimate cases, despite their small number.

There are other reasons for not publicising Whois. It facilitates identity fraud in relation to domain name transfers, for example, when the registrant's contact information is a matter of public record.

for some reason we single out the domain name as requiring a public record of the party associated with the address.

Because internet infrastructure is a public resource allocated by a public process for public benefit. Your other examples (Facebook ID, Yahoo! e-mail) are private allocations for private benefit.

Sure, we have Whois for IP address blocks as well, but that only identifies an ISP, not an individual. The DNS equivalent would be to have Whois that stops at the registrar level (which is approximately what "privacy protected" Whois does).

This analogy is flawed. Many number resources are passed through the registry and through the ISP all the way to the end-customer by use of technology like RWHOIS and SWIP. Each regional Internet registry defines local policy for this.

The simple fact is, I think, that LE is accustomed to DNS-Whois being convenient, and they would like to demand that it be as convenient as possible.

Having now worked with various LEAs on various cases for a few decades, I can tell you that they are nowhere near as lazy as you're making them out to be. They are overworked and understaffed and full of passionate people trying to make a positive difference in the world. Also, they find no part of DNS-Whois convenient and they find very few parts of it to be even a little bit useful, and they can't understand why the Internet community has set things up this way since the resulting downstream externalized economic costs are far greater than the avoided cost of having accountability in the allocation system.

Given any window between availability of the name and verification of personal data, they do not need to provide factual Whois data.

I am trying hard to think of a public benefit to being able to create millions of domain names (in aggregate) every day or to have any of them "available" before Whois has been verified by some heavy-weight mechanism. I note the private benefit to shareholders in DNS infrastructure companies, and the private benefit to those who register a large number of domains for noncooperative reasons such as e-crime or info-spam. I'm failing to think of a way that the public benefits from this beyond the rising tide that lifts all boats, i.e., domain names are cheaper because there are so many of them.

So while mandatory public Whois wouldn't harm many people who have legitimate reasons for not going public with their identities, it also wouldn't catch many crooks.

I am arguing for full accountability of all allocations of public resources. This means verified high quality Whois data and may also mean that we stop offering "Whois privacy". Full accountability would simply make e-criminals work harder by denying them the full capabilities of the public's domain name system. Catching crooks is not the endgame it's just a method of getting there.

There are other reasons for not publicizing Whois. It facilitates identity fraud in relation to domain name transfers, for example, when the registrant's contact information is a matter of public record.

I can think of several ways to protect domains against fraudulent transfers that would externalize no costs onto the rest of the economy and would be more efficient and more effective than "Whois privacy" can ever be at the same task.

Because internet infrastructure is a public resource allocated by a public process for public benefit.

The typical private individual using an ISP is allocated an IP address anonymously. Perhaps we should end this practice, and make it a matter of public record who is using any given IP address at any time. This would inflate the size of the Whois database somewhat, given the dynamic nature of the data, but IP addresses are public resources allocated for public benefit, so there can be no reasonable expectation of privacy. The data would be provided by ISPs who are generally positioned to verify the accuracy of the customer data. Law enforcement would be tremendously facilitated (including civil matters of Copyright infringement and libel, I might add).

Having now worked with various LEAs on various cases for a few decades, I can tell you that they are nowhere near as lazy as you're making them out to be.

I don't wish to imply that at all. Everyone wants their job to be no more difficult than is necessary. It just so happens that what's good for law enforcement is often at odds with personal liberty. That's why we have checks and balances which are good things, even though they make law enforcement less convenient than it could be.

I am trying hard to think of a public benefit to being able to create millions of domain names (in aggregate) every day or to have any of them "available" before Whois has been verified by some heavy-weight mechanism.

Let's assume, for the sake of argument, that there is no such benefit. Let's assume that you're absolutely right, and the only benefit is to the domain name registrants: increased convenience (faster activation), lower cost (no verification overhead), the possibility of anonymity, etc. These are all benefits that Pirate DNS can offer over the real thing if you have your way, just as Pirate File Sharing offers material devoid of the onerous DRM that big publishers so often demand.

You're the one expressing concern over Pirate DNS. How do you feel about giving it this marketing edge?

The data centers we use require our corporate info in the IP block record. I know this is not always true, I'm just pointing out that taking the next logical step is very possible. In fact even my ISP to my home allows me to configure the public IP details, this was part of the static IP block service. Of course I can put anything in there I want which defeats the point we're getting at.

It's actually the same for DNS. Previously ISPs' DNS systems accepted authoritative records that lacked a SOA record, now I'm seeing them block such records. They now demand a SOA record from the authority. The SOA does have a public "ownership tag". Is the tag correct or a lie? Likely it's correct since most probably don't give it much thought yet. The more it becomes significant in other ways the more motivation for "privacy" there may be.

As for ID fraud regarding transfers I've been vocal the other way. When someone is using privacy whois, and their domain gets stolen (intraregistrar transfers mostly) there is no public marker of the event nor even proof of ownership. While DomainTools database is riddled with errors it can be used to detect/verify these events in the case of domain theft ("whowas" history).

So we're back to benefits versus deficits. I primarily want accountability regarding the actions of third parties messing with other people's infrastructure. Perhaps there are other ways than use of public records requirements, but for some time it's seemed that's the best option to me.
